
8 commits

19 changed files with 806 additions and 762 deletions

6
.ansible-lint Normal file

@ -0,0 +1,6 @@
skip_list:
- "yaml[line-length]"
- "name[casing]"
exclude_paths:
- .forgejo/

15
.editorconfig Normal file

@ -0,0 +1,15 @@
root = true
[*]
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
indent_style = space
charset = utf-8
[*.md]
indent_size = 2
trim_trailing_whitespace = false
[*.yaml]
indent_size = 2


@ -0,0 +1,19 @@
# Links & Resources:
# https://github.com/ansible/ansible-lint?tab=readme-ov-file#using-ansible-lint-as-a-github-action
on:
pull_request:
push:
jobs:
ansible-lint:
name: Ansible Lint
runs-on: docker
steps:
- uses: actions/checkout@v4
- name: miau
run: |
apt update
- name: Run ansible-lint
uses: https://github.com/ansible/ansible-lint@main
with:
setup_python: "false"
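Review bot: The lint step at `uses: https://github.com/ansible/ansible-lint@main` runs whatever currently sits on that repository's default branch on every push and pull request, so the code this CI executes against the checkout can change without any commit here. Pin it to a released tag or, better, a full commit SHA, e.g. `uses: https://github.com/ansible/ansible-lint@<release-tag-or-commit-sha>` (placeholder), and treat `actions/checkout@v4` with the same discipline where the runner allows it. The preceding step is named `miau` and runs only `apt update` without installing anything; if it prepares packages for the action, give it a descriptive name and add the install, otherwise drop it. The file's path is not shown in this view, so I cannot confirm it lives in the `.forgejo/` directory that `.ansible-lint` excludes from linting.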

6
.yamllint.yaml Normal file

@ -0,0 +1,6 @@
rules:
brackets:
min-spaces-inside: 1
max-spaces-inside: 1
min-spaces-inside-empty: 1
max-spaces-inside-empty: 1
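Review bot: `rules:` lists only `brackets` and there is no `extends: default`, so as far as I read yamllint's config semantics every other check (`key-duplicates`, `truthy`, `indentation`, trailing spaces) is disabled rather than left at its default. Add `extends: default` above `rules:` so the bracket-spacing override narrows the defaults instead of replacing them. The `min-spaces-inside: 1` / `min-spaces-inside-empty: 1` choice is what turns `[]` into `[ ]` across the group_vars and role defaults in this compare; that is a legitimate choice, but it is the opposite of Prettier's and yamllint's own defaults, so anyone running those tools unconfigured will fight it.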


@ -1,5 +1,5 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/ccchoir/compose.yaml.j2') }}"
docker_compose__configuration_files: []
docker_compose__configuration_files: [ ]
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de


@ -1,5 +1,5 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/pad/compose.yaml.j2') }}"
docker_compose__configuration_files: []
docker_compose__configuration_files: [ ]
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de


@ -1,5 +1,5 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/pretalx/compose.yaml.j2') }}"
docker_compose__configuration_files: []
docker_compose__configuration_files: [ ]
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de


@ -1,5 +1,5 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/zammad/compose.yaml.j2') }}"
docker_compose__configuration_files: []
docker_compose__configuration_files: [ ]
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de


@ -1,10 +1,9 @@
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
url: http://prometheus:9090
isDefault: true
access: proxy
editable: true
- name: Prometheus
type: prometheus
url: http://prometheus:9090
isDefault: true
access: proxy
editable: true


@ -5,110 +5,110 @@ global:
alerting:
alertmanagers:
- scheme: http
timeout: 10s
static_configs:
- targets:
- "alertmanager:9093"
- scheme: http
timeout: 10s
static_configs:
- targets:
- "alertmanager:9093"
rule_files:
- "/etc/prometheus/rules/*.rules.yaml"
scrape_configs:
- job_name: prometheus
honor_timestamps: true
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- localhost:9090
- job_name: alertmanager
honor_timestamps: true
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- alertmanager:9093
- job_name: c3lingo
honor_timestamps: true
scrape_interval: 5s
scrape_timeout: 1s
metrics_path: /mumblestats/metrics
scheme: https
static_configs:
- targets:
- mumble.c3lingo.org:443
- job_name: mumble
honor_timestamps: true
scrape_interval: 5s
scrape_timeout: 1s
metrics_path: /metrics
scheme: https
static_configs:
- targets:
- mumble.hamburg.ccc.de:443
- job_name: opnsense-ccchh
honor_timestamps: true
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- 185.161.129.132:9100
- job_name: jitsi
honor_timestamps: true
scrape_interval: 5s
scrape_timeout: 1s
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- jitsi.hamburg.ccc.de:9888 # Jitsi Video Bridge
- job_name: 'pve'
static_configs:
- targets:
- 212.12.48.126 # chaosknoten
metrics_path: /pve
params:
module: [default]
cluster: ['1']
node: ['1']
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: pve-exporter:9221
- job_name: hosts
static_configs:
# Wieske Chaosknoten VMs
- labels:
site: wieske
type: virtual_machine
hypervisor: chaosknoten
targets:
- netbox-intern.hamburg.ccc.de:9100
- matrix-intern.hamburg.ccc.de:9100
- public-web-static-intern.hamburg.ccc.de:9100
- git-intern.hamburg.ccc.de:9100
- forgejo-actions-runner-intern.hamburg.ccc.de:9100
- eh22-wiki-intern.hamburg.ccc.de:9100
- nix-box-june-intern.hamburg.ccc.de:9100
- mjolnir-intern.hamburg.ccc.de:9100
- woodpecker-intern.hamburg.ccc.de:9100
- penpot-intern.hamburg.ccc.de:9100
- jitsi.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- ccchoir-intern.hamburg.ccc.de:9100
- tickets-intern.hamburg.ccc.de:9100
- keycloak-intern.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- pad-intern.hamburg.ccc.de:9100
- wiki-intern.hamburg.ccc.de:9100
- zammad-intern.hamburg.ccc.de:9100
- pretalx-intern.hamburg.ccc.de:9100
- labels:
site: wieske
type: physical_machine
targets:
- chaosknoten.hamburg.ccc.de:9100
- job_name: prometheus
honor_timestamps: true
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- localhost:9090
- job_name: alertmanager
honor_timestamps: true
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- alertmanager:9093
- job_name: c3lingo
honor_timestamps: true
scrape_interval: 5s
scrape_timeout: 1s
metrics_path: /mumblestats/metrics
scheme: https
static_configs:
- targets:
- mumble.c3lingo.org:443
- job_name: mumble
honor_timestamps: true
scrape_interval: 5s
scrape_timeout: 1s
metrics_path: /metrics
scheme: https
static_configs:
- targets:
- mumble.hamburg.ccc.de:443
- job_name: opnsense-ccchh
honor_timestamps: true
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- 185.161.129.132:9100
- job_name: jitsi
honor_timestamps: true
scrape_interval: 5s
scrape_timeout: 1s
metrics_path: /metrics
scheme: http
static_configs:
- targets:
- jitsi.hamburg.ccc.de:9888 # Jitsi Video Bridge
- job_name: 'pve'
static_configs:
- targets:
- 212.12.48.126 # chaosknoten
metrics_path: /pve
params:
module: [ default ]
cluster: [ '1' ]
node: [ '1' ]
relabel_configs:
- source_labels: [ __address__ ]
target_label: __param_target
- source_labels: [ __param_target ]
target_label: instance
- target_label: __address__
replacement: pve-exporter:9221
- job_name: hosts
static_configs:
# Wieske Chaosknoten VMs
- labels:
site: wieske
type: virtual_machine
hypervisor: chaosknoten
targets:
- netbox-intern.hamburg.ccc.de:9100
- matrix-intern.hamburg.ccc.de:9100
- public-web-static-intern.hamburg.ccc.de:9100
- git-intern.hamburg.ccc.de:9100
- forgejo-actions-runner-intern.hamburg.ccc.de:9100
- eh22-wiki-intern.hamburg.ccc.de:9100
- nix-box-june-intern.hamburg.ccc.de:9100
- mjolnir-intern.hamburg.ccc.de:9100
- woodpecker-intern.hamburg.ccc.de:9100
- penpot-intern.hamburg.ccc.de:9100
- jitsi.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- ccchoir-intern.hamburg.ccc.de:9100
- tickets-intern.hamburg.ccc.de:9100
- keycloak-intern.hamburg.ccc.de:9100
- onlyoffice-intern.hamburg.ccc.de:9100
- pad-intern.hamburg.ccc.de:9100
- wiki-intern.hamburg.ccc.de:9100
- zammad-intern.hamburg.ccc.de:9100
- pretalx-intern.hamburg.ccc.de:9100
- labels:
site: wieske
type: physical_machine
targets:
- chaosknoten.hamburg.ccc.de:9100


@ -5,21 +5,21 @@ services:
container_name: mailman-core
hostname: mailman-core
volumes:
- /opt/mailman/core:/opt/mailman/
- /opt/mailman/core:/opt/mailman/
stop_grace_period: 30s
links:
- database:database
- database:database
depends_on:
- database
- database
environment:
- DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
- DATABASE_TYPE=postgres
- DATABASE_CLASS=mailman.database.postgresql.PostgreSQLDatabase
- HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
- MTA=postfix
- DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
- DATABASE_TYPE=postgres
- DATABASE_CLASS=mailman.database.postgresql.PostgreSQLDatabase
- HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
- MTA=postfix
ports:
- "127.0.0.1:8001:8001" # API
- "127.0.0.1:8024:8024" # LMTP - incoming emails
- "127.0.0.1:8001:8001" # API
- "127.0.0.1:8024:8024" # LMTP - incoming emails
networks:
mailman:
@ -29,36 +29,36 @@ services:
container_name: mailman-web
hostname: mailman-web
depends_on:
- database
- database
links:
- mailman-core:mailman-core
- database:database
- mailman-core:mailman-core
- database:database
volumes:
- /opt/mailman/web:/opt/mailman-web-data
- /opt/mailman/web:/opt/mailman-web-data
environment:
- DATABASE_TYPE=postgres
- DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
- "DJANGO_ALLOWED_HOSTS=lists.hamburg.ccc.de,lists.c3lingo.org"
- HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
- SERVE_FROM_DOMAIN=lists.hamburg.ccc.de
- SECRET_KEY=ugfknEYBaFVc62R1jlIjnkizQaqr7tSt
- MAILMAN_ADMIN_USER=ccchh-admin
- MAILMAN_ADMIN_EMAIL=tony@cowtest.hamburg.ccc.de
- DATABASE_TYPE=postgres
- DATABASE_URL=postgresql://mailman:wvQjbMRnwFuxGEPz@database/mailmandb
- "DJANGO_ALLOWED_HOSTS=lists.hamburg.ccc.de,lists.c3lingo.org"
- HYPERKITTY_API_KEY=ITfRjushI6FP0TLMnRpZxlfB2e17DN86
- SERVE_FROM_DOMAIN=lists.hamburg.ccc.de
- SECRET_KEY=ugfknEYBaFVc62R1jlIjnkizQaqr7tSt
- MAILMAN_ADMIN_USER=ccchh-admin
- MAILMAN_ADMIN_EMAIL=tony@cowtest.hamburg.ccc.de
ports:
- "127.0.0.1:8000:8000" # HTTP
- "127.0.0.1:8080:8080" # uwsgi
- "127.0.0.1:8000:8000" # HTTP
- "127.0.0.1:8080:8080" # uwsgi
networks:
mailman:
database:
restart: unless-stopped
environment:
- POSTGRES_DB=mailmandb
- POSTGRES_USER=mailman
- POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
- POSTGRES_DB=mailmandb
- POSTGRES_USER=mailman
- POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
image: postgres:12-alpine
volumes:
- /opt/mailman/database:/var/lib/postgresql/data
- /opt/mailman/database:/var/lib/postgresql/data
networks:
mailman:
@ -68,5 +68,5 @@ networks:
ipam:
driver: default
config:
-
subnet: 172.19.199.0/24
-
subnet: 172.19.199.0/24
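Review bot: The `environment:` lists for `mailman-core`, `mailman-web` and `database` carry live credentials inline — the PostgreSQL password inside `DATABASE_URL` and `POSTGRES_PASSWORD`, `HYPERKITTY_API_KEY`, and the Django `SECRET_KEY` — so this file commits them to version control, and the reindentation keeps all of them on the new side. Move them to an untracked `env_file:` or a secrets mechanism, reference them via compose substitution such as `- POSTGRES_PASSWORD=${MAILMAN_DB_PASSWORD}`, and rotate the values, since they are already in the repository history. Separately, `image: postgres:12-alpine` pins a major version that upstream no longer supports (12 reached end of life in November 2024, if I recall correctly), so a migration should be planned. `services:` and the head of the `mailman-core` service start before the first hunk, and the file's path is not shown in this view.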


@ -1,15 +1,15 @@
- name: update, upgrade and potentially reboot
become: true
block:
- name: apt-get update
ansible.builtin.apt:
update-cache: true
- name: apt-get update
ansible.builtin.apt:
update-cache: true
- name: apt-get dist-upgrade
ansible.builtin.apt:
upgrade: dist
register: apt_update_and_upgrade__upgrade_result
- name: apt-get dist-upgrade
ansible.builtin.apt:
upgrade: dist
register: apt_update_and_upgrade__upgrade_result
- name: reboot, after package upgrade
ansible.builtin.reboot:
when: apt_update_and_upgrade__upgrade_result.changed
- name: reboot, after package upgrade
ansible.builtin.reboot:
when: apt_update_and_upgrade__upgrade_result.changed


@ -3,21 +3,21 @@
become: true
block:
- name: deploy `sshd_config`
ansible.builtin.template:
force: true
dest: /etc/ssh/sshd_config
mode: 0644
owner: root
group: root
src: sshd_config.j2
register: deploy_ssh_server_config__ssh_config_copy_result
- name: deploy `sshd_config`
ansible.builtin.template:
force: true
dest: /etc/ssh/sshd_config
mode: "0644"
owner: root
group: root
src: sshd_config.j2
register: deploy_ssh_server_config__ssh_config_copy_result
- name: deactivate short moduli
ansible.builtin.shell:
cmd: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
- name: deactivate short moduli
ansible.builtin.shell:
cmd: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
# Rebooting here instead of restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
- name: reboot, if ssh server config got changed
ansible.builtin.reboot:
when: deploy_ssh_server_config__ssh_config_copy_result.changed
# Rebooting here instead of restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
- name: reboot, if ssh server config got changed
ansible.builtin.reboot:
when: deploy_ssh_server_config__ssh_config_copy_result.changed
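Review bot: The `deactivate short moduli` task at `ansible.builtin.shell:` rewrites `/etc/ssh/moduli` unconditionally and has no `changed_when`, so every run reports it as changed and, once the ansible-lint workflow from this compare runs, the `no-changed-when` rule will flag it (it is not in the `.ansible-lint` skip list). Splitting it into a read-only check that registers whether any modulus below 3071 bits remains, and running the rewrite only when that check hits, makes the task idempotent and keeps the lint clean. Note also that the reboot task fires only on `deploy_ssh_server_config__ssh_config_copy_result.changed`, so a moduli change alone never triggers it; as far as I know sshd reads `/etc/ssh/moduli` per connection, so that is probably fine, but a comment saying so would help the next reader. The enclosing task with `become: true` and `block:` starts at line 1, outside this hunk.
```yaml
# … unchanged: deploy `sshd_config` task …
    - name: check for short moduli
      ansible.builtin.shell:
        cmd: awk '$5 < 3071' /etc/ssh/moduli | grep -q .
      register: deploy_ssh_server_config__short_moduli_result
      changed_when: false
      failed_when: deploy_ssh_server_config__short_moduli_result.rc > 1
    - name: deactivate short moduli
      ansible.builtin.shell:
        cmd: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
      when: deploy_ssh_server_config__short_moduli_result.rc == 0
# … unchanged: reboot task …
```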


@ -4,4 +4,3 @@
user: chaos
exclusive: true
key: https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/raw/branch/trunk/authorized_keys


@ -17,4 +17,4 @@ dependencies:
- role: docker_compose
vars:
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'compose.yaml.j2') }}"
docker_compose__configuration_files: []
docker_compose__configuration_files: [ ]


@ -1,5 +1,5 @@
nginx__deploy_redirect_conf: true
nginx__deploy_tls_conf: true
nginx__configurations: []
nginx__configurations: [ ]
nginx__use_custom_nginx_conf: false
nginx__custom_nginx_conf: ""


@ -7,11 +7,11 @@
when: nginx__use_custom_nginx_conf
block:
- name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf`
when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists == false
when: not nginx__nginx_conf_ansiblesave_stat_result.stat.exists
ansible.builtin.copy:
force: true
dest: /etc/nginx/nginx.conf.ansiblesave
mode: 0644
mode: "0644"
owner: root
group: root
remote_src: true
@ -22,7 +22,7 @@
ansible.builtin.copy:
content: "{{ nginx__custom_nginx_conf }}"
dest: "/etc/nginx/nginx.conf"
mode: 0644
mode: "0644"
owner: root
group: root
become: true
@ -36,7 +36,7 @@
ansible.builtin.copy:
force: true
dest: /etc/nginx/nginx.conf
mode: 0644
mode: "0644"
owner: root
group: root
remote_src: true
@ -55,7 +55,7 @@
ansible.builtin.get_url:
force: true
dest: /etc/nginx-mozilla-dhparam
mode: 0644
mode: "0644"
url: https://ssl-config.mozilla.org/ffdhe2048.txt
become: true
notify: Restart `nginx.service`
@ -71,7 +71,7 @@
ansible.builtin.copy:
force: true
dest: /etc/nginx/conf.d/tls.conf
mode: 0644
mode: "0644"
owner: root
group: root
src: tls.conf
@ -89,7 +89,7 @@
ansible.builtin.copy:
force: true
dest: /etc/nginx/conf.d/redirect.conf
mode: 0644
mode: "0644"
owner: root
group: root
src: redirect.conf
@ -104,7 +104,7 @@
ansible.builtin.copy:
content: "{{ item.content }}"
dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
mode: 0644
mode: "0644"
owner: root
group: root
become: true
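Review bot: The `ansible.builtin.get_url` task in the `@ -55,7 +55,7 @@` hunk fetches `https://ssl-config.mozilla.org/ffdhe2048.txt` with `force: true` and no `checksum:`, so every run re-downloads the file and whatever the server returns lands in `/etc/nginx-mozilla-dhparam` and is loaded by nginx. The ffdhe2048 group is the fixed RFC 7919 group, so its content never legitimately changes; pin it with `checksum: "sha256:<SHA256_OF_FFDHE2048_TXT>"` (placeholder — compute it once from a trusted copy), which, if I remember the module's behaviour right, also lets get_url skip the download when the destination already matches. Alternatively ship the file from the role's `files/` directory the way `tls.conf` and `redirect.conf` are, and drop the network fetch altogether. The `- name:` line of that task sits outside its hunk.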